I am a programmer trying to break in the Sec business...I'm excited about all the new things to learn and cool people to meet here.

I have a question, i don't know if anyone here can offer some guidance.

I am "technically" done with the Practical part of the CPT as i've gained the root passwords for both of the VM's however, the instructions given to me dictate that i do a privilege escalation exploit on the second VM after i have obtained some level of access...

i did get root to the first VM and after getting all of the accounts on that one i got user level access to the other VM but after trying a gazzilion things i finally gave up and "pretended" i had physical access to the second VM, booted up a live image, got a copy of the shadow file to my attack VM via SSH and then managed to crack the root password with john.

Do you think this will be a problem? in the end i got the existing root pass which was my assignment but i am not sure if the CPT people are going to like the way i got the shadow file.

i know there are multiple ways to skin a cat but my expertise level was obviously not enough to do a local privilege esc.

Any help of guidance would be greatly appreciated.

ps: i dont want someone to tell me how to do it, i have really enjoyed the challenges and want to "EARN" my cert, however, i dont want to send my report like this and end up failing.

THANKS!

Last edited by SamoletMaj on Sun Jun 03, 2012 11:15 am, edited 1 time in total.

I don't remember the exact wording of the instructions I was given when I took the exam, but I'm pretty sure the goal was to obtain access through the other machine and do some kind of privilege escalation afterwards.I don't think going the easy way through 'pretending I have physical access' would adhere to the rules. To be on the safe side, I'd just drop a message to exams@iacertification.org and ask directly at the source.

There are a couple of exploits that will work - some might work without further modifications, some might need some minor tweaks. Just downloading and running exploits won't do any good, you need to do a proper enumeration of your targets.

Some things to look for:

Check which OS in which version is running on which kernel version

Check the environment variables

Check running services, their version and under which user they are running

aweSEC is correct, You certainly can elevate your privileges on that box. Honestly, I am a little skeptical that you cracked the root PW with john. The (root) PW's for my exam were not in any wordlist I used, and bruteforce ran for nearly a week before I shut it off.

I did run exploits for the specific os on the running kernel but i did not modify any of them.I also ran exploits to specific versions of services.

Thanks for the Tip aweSEC, i tried to do a good Job enumerating but again i am afraid to be in a situation of : "i don't know what i don't know"

SephStorm, i don't want to post it here but i can tell you on which word-list the pass was found. I was also afraid of this because i read online some guys setting up clusters of computers in order to do a distributed john against the shadow and it didn't work. yikes... But once i got that word-list, i ran it for maybe 2 hours and the password was cracked.

SephStorm wrote:aweSEC is correct, You certainly can elevate your privileges on that box. Honestly, I am a little skeptical that you cracked the root PW with john. The (root) PW's for my exam were not in any wordlist I used, and bruteforce ran for nearly a week before I shut it off.

Weird how we all have different experiences. I got the password in under an hour (maybe 30ish or so minutes). Local "kernel" compromise/escalation (spoiler alert there) took me about 10 minutes off the uname.

I try to tell / write / inform testers, one needs to literally get a storage device, create dirs (Windows, Linux, Solaris, etc) then subdivide those folders into something like Local/Remote further subdivided again:

i have tried pretty much every kernel exploit out there written for my specific kernel and it has worked for a ton of guys, just not me! I've been at it for about 6 days off the uname and nada...

i'm moving on to another angle, and i am waiting for a response from IACRB... i will post up.

Sometimes it not about finding a kernel level exploit that matches your EXACT kernel. Sometimes its about finding one that causes an outcome and investigating from there. E.g., If you're on say 2.4.20 and you can find something like a 2.6 exploit, try to see what occurs when running. Does it crash an application, if so can you figure out what its doing via gdb.

Oh lord, serendipity......I went back to look at some exploits i had downloaded in the pastAnd decided to look trough some of the code and i found a notefrom the developerTo compile with -static, did that and presto, root shell...

Typical case of RTFM...

Mission acomplished.

Thank you all for the comments i am really looking forward toLearning more about this business.

I think that ISI has different exam images. Its a good thing, if you did some looking, you can find an report but while the usernames were the same as my exam, all of the root passwords were different.

Once you get the root password for both machines the practical side of the cert is done and there is nothing else that you really have to do. Turn your report in and be happy that you got the cert. Just make sure everything is documented.

I just passed this in December and thought I failed but a few days later got word that I passed.